Type tracking: Split up levelStep into levelStepNoCall and levelStepCall

To reduce non-linear recursion during call graph construction.
2026-04-28 10:15:14 +02:00 · 2022-10-10 13:56:48 +02:00
parent 0883b1782d
commit 2e8f46ddd9
2 changed files with 21 additions and 15 deletions
--- a/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll
+++ b/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll
@@ -186,7 +186,7 @@ private module Cached {
    jumpStep(nodeFrom, nodeTo) and
    summary = JumpStep()
    or
-    levelStep(nodeFrom, nodeTo) and
+    levelStepNoCall(nodeFrom, nodeTo) and
    summary = LevelStep()
    or
    exists(TypeTrackerContent content |
@@ -216,6 +216,9 @@ private module Cached {
    or
    returnStep(nodeFrom, nodeTo) and
    summary = ReturnStep()
+    or
+    levelStepCall(nodeFrom, nodeTo) and
+    summary = LevelStep()
  }
 }

--- a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
+++ b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -76,20 +76,28 @@ predicate simpleLocalFlowStep = DataFlowPrivate::localFlowStepTypeTracker/2;
 */
 predicate jumpStep = DataFlowPrivate::jumpStep/2;

-/**
- * Holds if there is a summarized local flow step from `nodeFrom` to `nodeTo`,
- * because there is direct flow from a parameter to a return. That is, summarized
- * steps are not applied recursively.
- */
+/** Holds if there is direct flow from `param` to a return. */
 pragma[nomagic]
-private predicate summarizedLocalStep(Node nodeFrom, Node nodeTo) {
-  exists(DataFlowPublic::ParameterNode param, DataFlowPrivate::ReturningNode returnNode |
+private predicate flowThrough(DataFlowPublic::ParameterNode param) {
+  exists(DataFlowPrivate::ReturningNode returnNode |
    DataFlowPrivate::LocalFlow::getParameterDefNode(param.getParameter())
        .(TypeTrackingNode)
-        .flowsTo(returnNode) and
+        .flowsTo(returnNode)
+  )
+}
+
+/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which may depend on the call graph. */
+pragma[nomagic]
+predicate levelStepCall(Node nodeFrom, Node nodeTo) {
+  exists(DataFlowPublic::ParameterNode param |
+    flowThrough(param) and
    callStep(nodeTo.asExpr(), nodeFrom, param)
  )
-  or
+}
+
+/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which does not depend on the call graph. */
+pragma[nomagic]
+predicate levelStepNoCall(Node nodeFrom, Node nodeTo) {
  exists(
    SummarizedCallable callable, DataFlowPublic::CallNode call, SummaryComponentStack input,
    SummaryComponentStack output
@@ -99,11 +107,6 @@ private predicate summarizedLocalStep(Node nodeFrom, Node nodeTo) {
    nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input) and
    nodeTo = evaluateSummaryComponentStackLocal(callable, call, output)
  )
-}
-
-/** Holds if there is a level step from `nodeFrom` to `nodeTo`. */
-predicate levelStep(Node nodeFrom, Node nodeTo) {
-  summarizedLocalStep(nodeFrom, nodeTo)
  or
  localFieldStep(nodeFrom, nodeTo)
 }